Ethical Hacking News

ToddyCat's Sophisticated Malware Tools: Unveiling the Threat to Corporate Email Security


ToddyCat, an advanced persistent threat (APT) group known for targeting corporate email data, has been observed using a new set of tools against organizations in Europe and Asia. According to Kaspersky, the tooling includes a custom utility, TCSectorCopy, that copies locked Outlook mailbox files sector by sector, and the open-source SharpTokenFinder, used to pull Microsoft 365 access tokens out of process memory on compromised systems.

  • ToddyCat has been observed using new tools to steal corporate email data from organizations in Europe and Asia.
  • The custom tool TCSectorCopy copies locked Outlook OST files sector by sector from the raw disk; the open-source SharpTokenFinder extracts Microsoft 365 access tokens from memory.
  • The group also exploited CVE-2024-11859, a DLL search-order hijacking flaw in ESET Command Line Scanner, to run the previously undocumented TCESB loader.
  • A new PowerShell variant of TomBerBil runs on domain controllers, reaches browser profile files over SMB, and adds support for Mozilla Firefox.
  • When security software blocked SharpTokenFinder's attempt to dump the Outlook.exe process, the operator fell back to Sysinternals ProcDump.


    In a technical breakdown, Kaspersky reported that the group has also exploited flaws in widely deployed software. ToddyCat abused CVE-2024-11859, a DLL search-order hijacking vulnerability in ESET Command Line Scanner, to make the trusted scanner load a malicious library and so run a previously undocumented loader codenamed TCESB.

    Kaspersky also found a new PowerShell variant of TomBerBil, a tool the group had previously used to steal cookies and saved credentials from Chromium-based browsers such as Google Chrome and Microsoft Edge. The new variant runs on a domain controller under a privileged account and reads the browser profile files of other hosts over SMB network shares. It also adds Mozilla Firefox, whose profile stores credentials in a different format from Chromium's and therefore needs a separate extraction routine.

    The tooling does not always work. In at least one investigated incident, security software on the host blocked SharpTokenFinder's attempt to dump the memory of the Outlook.exe process. The operator worked around it with ProcDump from the Sysinternals suite, run with specific arguments to write a memory dump of the Outlook process. The fallback is instructive for defenders: a signed, widely trusted administrative utility achieved what the blocked custom tool could not, so detection should key on the behaviour (a process other than Outlook opening Outlook.exe with memory-read access) rather than on the name of the tool.

    The ToddyCat APT group has targeted corporate email data since at least 2020 using a range of tools, among them the Samurai backdoor and TomBerBil. In recent months, Kaspersky researchers have identified several new techniques in the group's operations.

    To reach mail stored locally, the group copies Microsoft Outlook's OST (Offline Storage Table) files with TCSectorCopy, found on disk under the name xCopy.exe, which matches a legitimate Windows command-line copy utility. Outlook keeps its OST file open with an exclusive lock while it runs, so an ordinary file copy fails; TCSectorCopy instead takes the path of the file to copy, opens the underlying disk as a read-only raw device, and copies the file's contents sector by sector, which bypasses the lock. Once the OST files have been written to a path of the attacker's choosing, the correspondence is extracted with XstReader, an open-source viewer for Outlook OST and PST files.

    In environments that use Microsoft 365, ToddyCat has also been observed taking access tokens directly from memory. The JSON Web Tokens (JWTs) are located with SharpTokenFinder, an open-source C# tool that searches the memory of Microsoft 365 applications for plaintext authentication tokens. A stolen token lets the attacker read the mailbox through the cloud service itself, without the user's password or a fresh MFA prompt, for as long as the token remains valid.
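    The behaviours described above give defenders concrete things to look for: a process other than Outlook reading Outlook.exe's memory, ProcDump aimed at Outlook, an xcopy.exe running from outside the Windows directory, OST files appearing outside the user's Outlook profile folder, XstReader executing, and a privileged account reaching browser profile folders through administrative shares. The Python below is an added example, not code from Kaspersky or from any of the tools the article names. The event records are constructed for the demonstration: they borrow the field names of Sysmon Event IDs 1, 10 and 11 and Windows Security Event 5145, but simplify them (GrantedAccess is an integer rather than the hex string Sysmon logs), and every path, process name and IP address in them is invented.

```python
"""Detection sketch for the ToddyCat mailbox-theft tradecraft described above.

Added example, not code from Kaspersky, ToddyCat or the tools named in the
article. The records below are constructed to resemble Sysmon (Event IDs 1,
10, 11) and Windows Security Event 5145 telemetry: the field names are the
ones those events expose, but every record is invented for this demo.
"""
import re

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Where Outlook keeps its own OST files; a copy anywhere else is suspicious.
OST_PROFILE_DIR = re.compile(r"\\appdata\\local\\microsoft\\outlook\\", re.I)
# Browser credential/cookie stores that TomBerBil is reported to target.
BROWSER_STORE = re.compile(
    r"appdata\\(local|roaming)\\(google\\chrome|microsoft\\edge|mozilla\\firefox)\\", re.I)
# Administrative shares as logged in the ShareName field of Event 5145, e.g. \\*\C$
ADMIN_SHARE = re.compile(r"^\\\\\*\\[a-z]\$$", re.I)
# The genuine xcopy.exe lives only in these two directories.
XCOPY_HOME = re.compile(r"^c:\\windows\\(system32|syswow64)\\xcopy\.exe$", re.I)


def detect(events):
    """Return (rule_name, detail) pairs for events matching the tradecraft."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 10:  # Sysmon ProcessAccess: who opened Outlook, and with what rights
            if (e["TargetImage"].lower().endswith("\\outlook.exe")
                    and e["GrantedAccess"] & PROCESS_VM_READ):
                findings.append(("outlook_memory_read", e["SourceImage"]))
        elif eid == 1:  # Sysmon ProcessCreate
            image, cmd = e["Image"], e["CommandLine"].lower()
            if "procdump" in cmd and "outlook" in cmd:
                findings.append(("procdump_outlook", e["CommandLine"]))
            if image.lower().endswith("\\xcopy.exe") and not XCOPY_HOME.match(image):
                findings.append(("xcopy_masquerade", image))  # TCSectorCopy's cover name
            if image.lower().endswith("\\xstreader.exe"):
                findings.append(("ost_viewer_run", image))
        elif eid == 11:  # Sysmon FileCreate: OST written outside the Outlook profile
            target = e["TargetFilename"]
            if target.lower().endswith(".ost") and not OST_PROFILE_DIR.search(target):
                findings.append(("ost_outside_profile", target))
        elif eid == 5145:  # Security log: browser store reached via an admin share
            if ADMIN_SHARE.match(e["ShareName"]) and BROWSER_STORE.search(e["RelativeTargetName"]):
                findings.append(("browser_store_over_smb", e["IpAddress"]))
    return findings


# Constructed sample telemetry: two benign records, then one per technique.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy C:\Reports D:\Backup /E"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.example.ost"},
    {"EventID": 1, "Image": r"C:\ProgramData\xCopy.exe",
     "CommandLine": r"xCopy.exe C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.example.ost C:\ProgramData\mail.ost"},
    {"EventID": 11, "Image": r"C:\ProgramData\xCopy.exe",
     "TargetFilename": r"C:\ProgramData\mail.ost"},
    {"EventID": 1, "Image": r"C:\ProgramData\XstReader.exe",
     "CommandLine": r"XstReader.exe C:\ProgramData\mail.ost"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\stf.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "GrantedAccess": 0x1FFFFF},
    {"EventID": 1, "Image": r"C:\Temp\procdump64.exe",
     "CommandLine": r"procdump64.exe -ma OUTLOOK.EXE C:\Temp\o.dmp"},
    {"EventID": 5145, "ShareName": r"\\*\C$", "IpAddress": "10.0.0.5",
     "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

    The two benign records (the real xcopy.exe, and Outlook writing its own OST inside the profile folder) produce nothing; each of the remaining six fires exactly one rule. In production the 5145 rule needs tuning for backup and management software that legitimately walks user profiles over C$, and the Event 10 rule should allow-list the handful of processes (the EDR agent, Outlook add-in hosts) that open Outlook with PROCESS_VM_READ on every endpoint.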

    ToddyCat keeps refining its techniques and looking for ways to hide its activity while reaching corporate correspondence inside compromised infrastructure. Its persistent focus on sensitive email makes it a significant threat to organizations across Europe and Asia.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/ToddyCats-Sophisticated-Malware-Tools-Unveiling-the-Threat-to-Corporate-Email-Security-ehn.shtml

  • https://thehackernews.com/2025/11/toddycats-new-hacking-tools-steal.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-11859

  • https://www.cvedetails.com/cve/CVE-2024-11859/


  • Published: Tue Nov 25 07:12:26 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.